From 786af9f6a9d9d6f6d3480607a14b9a3ad0fad579 Mon Sep 17 00:00:00 2001
From: Addison Crump
Date: Sun, 12 Mar 2023 23:24:22 +0100
Subject: [PATCH] resolve zero-sized allocation in swap diff fuzzer (#1139)

---
 .../Makefile.toml | 2 +-
 .../baby_fuzzer_swap_differential/src/main.rs | 25 ++++++++++---------
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/fuzzers/baby_fuzzer_swap_differential/Makefile.toml b/fuzzers/baby_fuzzer_swap_differential/Makefile.toml
index 0290f2dadc..c37f199fe1 100644
--- a/fuzzers/baby_fuzzer_swap_differential/Makefile.toml
+++ b/fuzzers/baby_fuzzer_swap_differential/Makefile.toml
@@ -32,7 +32,7 @@ windows_alias = "unsupported"
 script_runner = "@shell"
 script='''
 timeout 10s ${CARGO_TARGET_DIR}/release/${FUZZER_NAME} >fuzz_stdout.log || true
-if [ -z "$(grep "corpus: 30" fuzz_stdout.log)" ]; then
+if [ -z "$(grep "objectives: 1" fuzz_stdout.log)" ]; then
 echo "Fuzzer does not generate any testcases or any crashes"
 exit 1
 else
diff --git a/fuzzers/baby_fuzzer_swap_differential/src/main.rs b/fuzzers/baby_fuzzer_swap_differential/src/main.rs
index 5f20250dc9..684400935d 100644
--- a/fuzzers/baby_fuzzer_swap_differential/src/main.rs
+++ b/fuzzers/baby_fuzzer_swap_differential/src/main.rs
@@ -24,7 +24,7 @@ use libafl::{
 stages::mutational::StdMutationalStage,
 state::{HasSolutions, StdState},
 };
-use libafl_targets::{DifferentialAFLMapSwapObserver, MAX_EDGES_NUM};
+use libafl_targets::{edges_max_num, DifferentialAFLMapSwapObserver};
 #[cfg(not(miri))]
 use mimalloc::MiMalloc;
 
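Review bot: The new success criterion `grep "objectives: 1"` is a plain substring match, so a run whose status line presumably jumps straight to `objectives: 2` (two solutions landing between two prints) fails the check, while `objectives: 10` passes it only by accident. `if ! grep -qE "objectives: [1-9]" fuzz_stdout.log; then` accepts any non-zero count and drops the `-z "$(...)"` indirection. The `echo` on the following line still talks about testcases although the check now looks only at objectives; `echo "Fuzzer did not find any objective within the timeout"` describes what is actually tested.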
@@ -89,13 +89,15 @@ pub fn main() {
 }
 };
 
+ let num_edges: usize = edges_max_num();
+
 #[cfg(feature = "multimap")]
 let (first_map_observer, second_map_observer, map_swapper, map_observer) = {
 // initialize the maps
 unsafe {
- let layout = Layout::from_size_align(MAX_EDGES_NUM, 64).unwrap();
- FIRST_EDGES = core::slice::from_raw_parts_mut(alloc_zeroed(layout), MAX_EDGES_NUM);
- SECOND_EDGES = core::slice::from_raw_parts_mut(alloc_zeroed(layout), MAX_EDGES_NUM);
+ let layout = Layout::from_size_align(num_edges, 64).unwrap();
+ FIRST_EDGES = core::slice::from_raw_parts_mut(alloc_zeroed(layout), num_edges);
+ SECOND_EDGES = core::slice::from_raw_parts_mut(alloc_zeroed(layout), num_edges);
 COMBINED_EDGES = [&mut FIRST_EDGES, &mut SECOND_EDGES];
 }
 
@@ -128,19 +130,18 @@ pub fn main() {
 let (first_map_observer, second_map_observer, map_swapper, map_observer) = {
 // initialize the map
 unsafe {
- let layout = Layout::from_size_align(MAX_EDGES_NUM * 2, 64).unwrap();
- EDGES = core::slice::from_raw_parts_mut(alloc_zeroed(layout), MAX_EDGES_NUM * 2);
+ let layout = Layout::from_size_align(num_edges * 2, 64).unwrap();
+ EDGES = core::slice::from_raw_parts_mut(alloc_zeroed(layout), num_edges * 2);
 }
 
 // create the base maps used to observe the different executors by splitting a slice
- let mut first_map_observer = unsafe {
- StdMapObserver::from_mut_ptr("first-edges", EDGES.as_mut_ptr(), MAX_EDGES_NUM)
- };
+ let mut first_map_observer =
+ unsafe { StdMapObserver::from_mut_ptr("first-edges", EDGES.as_mut_ptr(), num_edges) };
 let mut second_map_observer = unsafe {
 StdMapObserver::from_mut_ptr(
 "second-edges",
- EDGES.as_mut_ptr().add(MAX_EDGES_NUM),
- MAX_EDGES_NUM,
+ EDGES.as_mut_ptr().add(num_edges),
+ num_edges,
 )
 };
 
@@ -155,7 +156,7 @@ pub fn main() {
 HitcountsMapObserver::new(StdMapObserver::differential_from_mut_ptr(
 "combined-edges",
 EDGES.as_mut_ptr(),
- MAX_EDGES_NUM * 2,
+ num_edges * 2,
 ))
 };
 
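Review bot: The pointer returned by `alloc_zeroed(layout)` is still handed straight to `core::slice::from_raw_parts_mut` without a null check, so an allocation failure turns into a slice over a null pointer instead of a diagnosable abort; the same applies to the `EDGES` allocation in the `-128,19` hunk. `alloc_zeroed` is also undefined for a zero-sized layout, which is exactly the condition this commit is about, so the runtime value should be pinned before it reaches `Layout`: `assert!(num_edges > 0, "edges_max_num() returned 0");` right after `let num_edges: usize = edges_max_num();`, and `let ptr = alloc_zeroed(layout); if ptr.is_null() { std::alloc::handle_alloc_error(layout) }` before each `from_raw_parts_mut`. `main` starts and ends outside this hunk.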